New EU regulations on cyber and access

http://www.europarl.europa.eu/news/en/news-room/content/20151207IPR06449/html/MEPs-close-deal-with-Council-on-first-ever-EU-rules-on-cybersecurity

The EU is clearly to be applauded for this new piece of regulation, which recognises not only key vulnerabilities but also the interconnectedness of elements that all use the web. Apart from the obvious – it’s a good thing – for security professionals I think there are 3 key takeaways:

  1. Clearly TalkTalk has convinced anyone in Government that still needed convincing that something needs to be done on cyber and access risk. We had the Chancellor announcing £1.9bn of new funding for cyber in the autumn statement. We’ve also had new “viability statements” coming into force, asking for the Board’s views on the management of risk to be formally reported to shareholders. And from the EU, what looks like the start of a fair bit of new regulation. I know some of these things have been in the works for a while, but it’s clear – Government is getting involved, and all companies will face increasing workloads on security and access control to meet the new standards.
  2. By linking Amazon and Ebay in with critical infrastructure the EU are showing they recognise that breaches form a continuum and that access to banking details and essential services are not completely separate things. Losing personal information is distressing, but losing control of a train would be tragic. Of course critical infrastructure doesn’t have to use the internet, but when contractors are being pushed on price and their components need to talk to each other, the internet is the only viable choice. Remember that in the world of modern automation, a train isn’t necessarily a single entity; it could be a collection of components (engine, wheels, brakes) that all communicate with each other via the net.
  3. There’s also a recognition that all the security in the world won’t protect you if your employees are giving away the crown jewels. It’s often not malicious, but staff don’t take as much care with data as they should. Which is why measuring and enforcing “least privilege” is one of the most effective and cost-effective steps a company can take. In case anyone is in any doubt, Intermedia’s 2015 Insider Risk Report reported that 32% of IT professionals have given out their login and password to other employees, with 31% saying they would take data from their company if it could positively benefit them.

At Idax, we’re noticing changes already. Senior management want to understand their vulnerability, and a quick access rights review has immediate benefits. One thing we’ve done quite a bit of is quick reviews of access rights. Using our analytics, we can tell within a few hours who the staff with unusual access are, which is an easy first step on the route to obtaining least privilege and staying there. What’s clear is that any company embarking on a programme to address access risk will not only be one step ahead of the hackers, but get an early start on new legislation too.
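The “staff with unusual access” check described above, and the “contextual information that might allow for a good decision” that the access-review posts further down this page call for, as an added example in Python. This is not Idax’s own code or algorithm: it shows one simple form of peer-group analysis, flagging any entitlement a user holds that fewer than half of the user’s department peers hold, and orders the results so a reviewer sees the rarest grants first. The user, department and entitlement names are constructed sample data; the `threshold` and `min_peers` parameters are assumptions made for the illustration.

```python
"""Peer-group outlier detection over access grants (added illustration).

Assumption: an entitlement is 'unusual' for a user when fewer than a given
fraction of the user's department peers hold it. Departments below a minimum
size are skipped, because a peer group of one or two gives no signal.
"""
from collections import Counter, defaultdict

# Constructed sample data: (user, department, entitlement). Not real accounts.
SAMPLE_GRANTS = [
    ("alice", "finance", "ledger_read"),
    ("alice", "finance", "ledger_write"),
    ("bob", "finance", "ledger_read"),
    ("bob", "finance", "ledger_write"),
    ("carol", "finance", "ledger_read"),
    ("carol", "finance", "ledger_write"),
    ("carol", "finance", "hr_payroll_admin"),   # rare for finance staff
    ("dave", "finance", "ledger_read"),
    ("erin", "hr", "hr_payroll_admin"),
    ("erin", "hr", "hr_records"),
    ("frank", "hr", "hr_payroll_admin"),
    ("frank", "hr", "hr_records"),
    ("frank", "hr", "ledger_write"),            # rare for HR staff
    ("grace", "hr", "hr_records"),
    ("heidi", "legal", "contract_vault_admin"), # one-person department: no peers
]


def build_index(grants):
    """Return (dept -> users, user -> dept, user -> entitlements) lookups."""
    dept_users = defaultdict(set)
    user_dept = {}
    user_ents = defaultdict(set)
    for user, dept, ent in grants:
        dept_users[dept].add(user)
        user_dept[user] = dept
        user_ents[user].add(ent)
    return dept_users, user_dept, user_ents


def peer_prevalence(grants):
    """Map (department, entitlement) -> fraction of that department holding it."""
    dept_users, user_dept, user_ents = build_index(grants)
    holders = Counter()
    for user, ents in user_ents.items():
        for ent in ents:
            holders[(user_dept[user], ent)] += 1
    return {key: n / len(dept_users[key[0]]) for key, n in holders.items()}


def unusual_access(grants, threshold=0.5, min_peers=3):
    """Return {user: [(entitlement, prevalence), ...]} for grants held by the
    user but by fewer than `threshold` of the user's department peers.
    Departments smaller than `min_peers` are skipped (no meaningful peer group).
    """
    dept_users, user_dept, user_ents = build_index(grants)
    prevalence = peer_prevalence(grants)
    findings = {}
    for user, ents in sorted(user_ents.items()):
        dept = user_dept[user]
        if len(dept_users[dept]) < min_peers:
            continue
        flagged = [(ent, round(prevalence[(dept, ent)], 2))
                   for ent in ents if prevalence[(dept, ent)] < threshold]
        if flagged:
            findings[user] = sorted(flagged, key=lambda f: f[1])
    return findings


def review_queue(grants, threshold=0.5, min_peers=3):
    """Flatten the findings into the order a reviewer should work: rarest first.
    Each row is (user, entitlement, prevalence among department peers)."""
    rows = []
    for user, flagged in unusual_access(grants, threshold, min_peers).items():
        for ent, p in flagged:
            rows.append((p, user, ent))
    return [(user, ent, p) for p, user, ent in sorted(rows)]


if __name__ == "__main__":
    for user, ent, p in review_queue(SAMPLE_GRANTS):
        print(f"{user:8} {ent:22} held by {p:.0%} of department peers")
```

The output is a triage order, not a verdict: a flagged grant may be entirely legitimate, which is why the page argues for manager review supported by analytic context rather than analytics alone. Note the `heidi` row in the sample: with a peer group of one, prevalence is always 100%, so the `min_peers` guard keeps single-person departments out of the results instead of silently marking everything they hold as normal.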

Carphone data breach: 2.4m records hacked.

Once again 2015 proves to be the year of the data breach. Or maybe 2.4 million Dixons Carphone records going missing is just an example of the new normal. But then again none of this is new, and data breaches and loss of critical data have been with us for as long as data has. So here’s a bit of historical perspective.

When I started as a consultant back in the 1980s one of the first assignments I worked on was for the old Dixons group. They had found out that at least one competitor had been getting hold of their prize data asset – at that time it was a Sales Report that listed all their product lines, the cost of each item, the retail price, how many they sold and in which shop they sold them. Remember, in the 80s retailers did not have good customer information and this Sales Report was the crown jewels.

Of course, it was printed on paper and bound before being distributed, but some things never change. In the end the breach turned out to be an insider who was selling the monthly Sales Reports on. As a junior consultant my job was to compile a list of everyone who got the report. But the thing that really stuck in my mind was that the majority of people who received the report didn’t really use it. It was more an indication of how important they were. So really a chronic lack of least privilege discipline leading to serious data breaches – nothing new under the sun.

A recent report from the Ponemon Institute finds that 71% of staff think they have access to company data they should probably not see. So what’s the answer? Well at idax towers we believe that traditional manager reviews are failing. What we and an increasingly large number of clients think is that manager intervention supported by analytic context and insight is the answer. Of course Dixons in the 1980s had an excuse for data breaches: they didn’t have the tools to enforce least privilege. But in the 2010s there’s really no excuse.

Idax Software v2.0 launch at Infosec 2015

So the last-minute – “post implementation, I’ll just do one more check” – testing is finished. Our stand is up with all our artwork and we’re all really excited about InfoSec 2015, which starts tomorrow.

To be honest, what I most enjoy about trade shows is the client contact. There’s nothing like real-time feedback from clients and potential clients, and hopefully some validation too. That’s the thing about being part of a small company and being passionate about what we do – I just love listening to people’s real-life issues and talking to them about how Idax can address them. Corny, but true – that’s why we’re here.

So come and see us on stand K71 if you’re at Olympia this week. I promise you that in addition to some great software we have a few other surprises in store.

http://www.infosecurityeurope.com/Olympia

Improving Access Reviews – 5 things you should consider when you sit down to do your quarterly reviews

Most managers in most big companies will be familiar with periodic access reviews. Once a quarter an email arrives telling you to review all staff access. You have an hour before your next meeting to review 10 team members, each of whom has access to about 50 systems, and none of the systems has a name you recognise. Your heart sinks; it’s a time-consuming task and you have no evidence that what you’re doing is correct or even useful. Well, based on Idax’s research you’re right – about 15% of all reviewed access rights are removed and the effectiveness is no better than random. So what should you do?

Fast Scalable Analytics – The future of Identity Management

The last few years have seen technology platforms proliferate, and with that has come increasing insider access threat. It’s becoming obvious that Identity Management (IAM) tools that were fit for purpose a decade ago are now struggling to manage the complexity and scale of access.

Anyone who works in a corporation will be familiar with regular access reviews. An email arrives with a long list of staff, an even longer list of privileges, and a thinly veiled threat to take the review very seriously indeed. What is missing is any contextual information that might allow for a good decision. At heart this betrays a misconception about IAM risk. But this is also where analytics can deliver dramatic benefits.